THE DATA PROTECTION ACT 2018 
(PART 6, SECTION 149) 


ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER 


To: 


Of: 


ENFORCEMENT NOTICE 


Emailmovers Limited 


C/O Jackson Robson Licence 
33-35 Exchange Street 
Driffield 

East Yorkshire 

YO25 6LL 


The Information Commissioner (“Commissioner”) has decided that it 
would be appropriate to issue Emailmovers Limited (“EML”) with an 
enforcement notice under section 149 of the Data Protection Act 
2018 (“DPA”) based on a failure by EML to comply with Art 5(1)(a) 
of the General Data Protection Regulation EU2016/679 as it forms 
part of the law of England and Wales, Scotland and Northern 
Ireland by virtue of section 3 of the European Union (Withdrawal) 
Act 2018 (“UK GDPR”). 


This notice explains the Commissioner’s reasons for that opinion. 


A Preliminary Enforcement Notice was given to EML on 4 September 
2019 and an opportunity to make representations was provided. A 
further opportunity to make representations was also afforded to 


EML on 23 April 2021. The Commissioner has considered those 


representations and taken them into account in determining 


whether an Enforcement Notice should be issued. 


Legal Framework 


4. 


Controller 


The Commissioner is of the view that EML is a controller as defined 
in Article 4(7) of the UK GDPR and section 6 of the Data Protection 
Act 2018 (“DPA”). A controller is “the natural or legal person, public 
authority, agency or other body which, alone or jointly with others, 


determines the purposes and means of the processing of personal, 
data”. 


Although EML characterises itself as a processor, the Commissioner 


does not accept that characterisation for the reasons set out below. 


The obligation to process data fairly, lawfully and transparently 


6. 


Personal data must be “processed lawfully, fairly and in a 
transparent manner in relation to the data subject”: UK GDPR Art 
5(1)(a). This provision is supplemented by Recital 39 which 


provides, relevantly: 


“Any processing of personal data should be lawful and fair. It should 
be transparent to natural persons that personal data concerning 
them are collected, used, consulted or otherwise processed and to 
what extent the personal data are or will be processed. The 
principle of transparency requires that any information and 
communication relating to the processing of those personal data be 
easily accessible and easy to understand, and that clear and plain 


language be used. That principle concerns, in particular, information 


to the data subjects on the identity of the controller and the 
purposes of the processing and further information to ensure fair 
and transparent processing in respect of the natural persons 
concerned and their right to obtain confirmation and communication 
of personal data concerning them which are being processed. 
Natural persons should be made aware of risks, rules, safeguards 
and rights in relation to the processing of personal data and how to 


exercise their rights in relation to such processing.” 


7. Recital 58 also emphasises the need for transparency in processing: 


“The principle of transparency requires that any information 
addressed to the public or to the data subject be concise, easily 
accessible and easy to understand, and that clear and plain 
language and, additionally, where appropriate, visualisation be 
used. Such information could be provided in electronic form, for 
example, when addressed to the public, through a website. This is 
of particular relevance in situations where the proliferation of actors 
and the technological complexity of practice makes it difficult for the 
data subject to know and understand whether, by whom and for 
what purpose personal data relating to him or her are being 


collected, such as in the case on online advertising ...” (Emphasis 
added) 


Lawful bases of processing 


8. Processing will only be lawful where at least one of the 
circumstances in UK GDPR Art 6(1) applies. Those circumstances 


include: 


“(a) the data subject has given consent to the processing of his or 


her personal data for one or more specific purposes” 
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10. 


11. 


Consent is defined in the UK GDPR as “any freely given, specific, 
informed and unambiguous indication of the data subject’s wishes 
by which he or she, by a statement or by a clear affirmative action, 
signifies agreement to the processing of personal data relating to 


him or her”: Art 4(11), see also Recital 32. 


The conditions for “consent” are set out in UK GDPR Art 7. Article 


7(1) states, relevantly: 


“1. Where processing is based on consent, the controller shall be 
able to demonstrate that the data subject has consented to 


processing of his or her personal data.” 


Where consent is relied upon as the basis for processing, the data 
subject “should be aware at least of the identity of the controller 
and purposes of the processing for which the personal data are 
intended”: UK GDPR Recital 42. 


Commissioner’s Powers 


12. 


If the Commissioner is satisfied that a person has failed, or is 
failing, to comply with a provision of Chapter II of the UK GDPR, the 
Commissioner may give the person an Enforcement Notice requiring 
them to take within such time as may be specified in the Notice, or 
to refrain from taking after such time as may be so specified, such 
steps as are so specified: DPA 2018 s 149. 


Background 


13. 


EML is a company that advertises its services as including email 


data, email cleansing, email marketing and data appending. 
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14. 


15. 


16. 


According to its website, it licenses in a wide range of personal data 
which includes email addresses, gender, age, employment status, 
and income bracket. It markets itself as having a “GDPR and PECR 


compliant email database”. 


On 31 January 2018, during an operation conducted by the 
Information Commissioner, EML provided 7000 records consisting of 
personal ID numbers, forenames, surnames, dates of birth, 
postcodes, mobile numbers (for some entries), email addresses (for 
some entries) and landline numbers to members of the 
Commissioner’s Enforcement Team. The data was provided 
pursuant to a 12 month licence. 15% of the records related persons 
between the ages 75-79 and 1% related to persons over 80. The 
Commissioner expressly does not rely upon this sale otherwise than 
as background for the purposes of this Enforcement Notice. This 
failing occurred prior to the implementation of the GDPR and, 
although the Commissioner is able to rely upon enforcement powers 
available to her under the Data Protection Act 1998 (see DPA 2018 
Sch 20, Pt 7, para 33(1)(b) she has elected not to do so in this 


case. 


Following this sale, the Commissioner commenced an investigation 


into EML’s data protection practices. 


In the course of that investigation, EML informed the Commissioner 
that: 


a. it was a processor with respect to the personal data sourced 
on behalf of a client for the purposes of business to consumer 


marketing; and 


b. its business to consumer data was provided by ME 


(now known as i) . 


EML is a controller, not a processor 


17. While the Commissioner notes that EML characterises itself as a 
processor under the GDPR in relation to business to consumer 
marketing, the Commissioner does not accept that this 


characterisation is correct for the reasons that follow. 


18. As part of its first round of representations to the Commissioner, 
EML produced a document setting out the “Legal and Commercial 
Terms for the Supply of Commercial and Personal Data” (“Terms”), 
which included as an appendix, a data processing agreement 
(“Processing Agreement”). The Terms, containing the Processing 
Agreement, were executed on 25 July 2018. EML relies upon this as 


evidence that it was a processor rather than a controller. 


19. The Commissioner has reviewed the Terms and the Processing 
Agreement and remains of the view that EML is a controller. The 
Terms and Processing Agreement demonstrate that D 
licenses data to EML so that EML can enter into subscription 
agreements with third parties to supply them with that data. The 
choice as to which third parties are supplied with data is a decision 
made by EML. The purposes of processing data in this way 
(disclosure to third parties) are determined by EML. EML also 
selects the means by which the data are processed. The Terms 
provides EML with a broad discretion to undertake many processing 
activities including using the data, creating derived data, storing the 
data, and manipulating the data (see generally, Clause 10 of the 


Terms). 


20. 


21. 


22. 


23. 


Further, the Processing Agreement does not provide support for 
EML’s claim. The Processing Agreement does not adopt a clear 
position on whether the Data Receiver (EML) is a controller or 


processor. Indeed, para 3.1 states that EML 


“.. IS either a Data Controller or a Data Processor in their capacity 
as foreseen under this Agreement. The Data Receiver acknowledges 
that, if acting as a Data Processor, they could be deemed to be a 
Data Contoller depending upon their use of the Shared Personal 
Data and would be deemed to be a Data Controller if they make use 
of the Shared Personal Data in a way that is not in accordance with 


this Agreement.” 


In any event, even if EML were characterised as a processor by the 
Terms of the Processing Agreement, that does not determine 
whether EML is a processor or a controller. That must be 
determined by reference to the definitions in the UK GDPR and the 
DPA 2018. 


The Processing Agreement requires the parties to process the 


Shared Personal Data for the “Agreed Purpose”, namely: 


“To broadcast marketing emails on behalf of a customer or to share 
the data for email marketing purposes with a customer who is 
promoting products or services within the Categories of Recipients 
where a consumer has given consent for a third party marketing or 
where there is a legitimate interest to share the data for marketing 


purpose.” 


This purpose is too broadly expressed to constitute a genuine 
restriction on the purposes for individual acts of processing. 
It remains the case that EML is able to determine if, when and for 


what purposes (within the scope of the broadly expressed Agreed 
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Purpose) processing should take place as well as the means by 


which the data is processed. 


24. The Commissioner is accordingly satisfied that, with respect to data 
obtained from i and licensed to customers of EML, EML 
determines the purposes of that processing and the means by which 


it is done. It is, accordingly, a controller with respect to that data. 


25. The Commissioner notes that EML provided a revised Data 
Processing Agreement in response to the further invitation to make 
representations. That Agreement was provided in template form, 
with no reference to how the relationship with putative data 
controllers operates in practice. No evidence of any executed 
agreement was provided. The revised Data Processing Agreement 
does not alter the fact that EML previously mischaracterised itself as 


a processor. 


26. Further, EML informed the Commissioner that it was now - having 
seen the Commissioner's Preliminary Enforcement Notice - 
operating “purely as an introducer”. No acceptable explanation was 
provided as to the actual practices adopted by EML, or how it 
conceived the role of an “introducer” fit within the data protection 
concepts of “controllers” and “processors”. The Commissioner is 
also not satisfied, on the basis of the information that has now been 
provided, that EML does not continue to mischaracterise itself as 


such. 
The Failure 


27. The Commissioner is of the view that EML has processed, and is 


processing, personal data in a manner that is not fair, lawful, or 


28. 


29. 


30. 


31. 


transparent, thereby failing to comply with UK GDPR Art 5(1)(a). 


The Commissioner's reasons for forming this view are as follows. 


EML has not sought to identify the lawful basis upon which it 
processes personal data when engaging in business to consumer 
marketing. This appears to be the consequence of its 
misclassification as a data processor. In response to a request for 
policies concerning privacy and data protection, EML provided a 
number of policies. None of those policies addressed the manner in 
which, and the purposes for which, EML processed data provided to 


it by third parties in business to consumer marketing. 


However, EML has informed the Commissioner that it relies on EE 
GE to provided appropriately consented marketing lists. On 
this basis, the Commissioner infers that EML relies upon consent as 
the basis for processing. The Commissioner does not accept that 


any consent to processing provided to {EEE is effective 
to permit processing by EML. 


The Commissioner understands that acquires 
personal data from the following sources: 


a. the MY website owned by ME and 


b. the MT website operated by EE. 


The I website includes a link to the p 


privacy policy. That policy states that they will “Pass on your details 
to selected Companies and Trusted Partners which provide you with 
other offers and promotions of interest to you”. The policy lists only 
a selection of those “partners”. Despite that selection being lengthy 


and covering a very broad range of named companies, it does not 


32. 


33: 


identify ether or EML as potential third party 


recipients of personal data. The policy further does not indicate that 
those third party recipients may themselves disclose personal data 


to additional unnamed third parties for any purpose. 


EE Privacy policy indicates that personal data may be 
shared with marketing service providers. The policy states that 


those providers may combine the information with data from other 
sources, analyse and profile it and pass their knowledge on to other 
companies. It also indicates that names and addresses may be 
passed on by those providers to other companies so that those 
other companies can contact the individual about relevant products, 
services and offers. It states that this will occur “either directly or 
indirectly via a data broker who may legitimately process your 
data”. The list of marketing service providers includes aa) 
but not EML. The companies that marketing service providers may 


disclose personal data to are also not identified. 


Further, ji privacy policy indicates that it will share 


personal data for commercial gain with third parties who “have a 
relationship with you” or where the third party has “a lawful reason, 
which may include the organisation’s own legitimate interest”. It 
states that that “data will be used ... to create a data product ... in 
line with ICO code of practice”. It is unclear what ICO Code of 
Practice this was intended to refer to. The specific third parties with 
whom data may be shared for these purposes are not identified. 
The policy also indicates that data will be shared with specified 
“Marketing Services Providers and special Marketing Agencies”. 
is identified as a potential third party recipient, but 
EML is not. A link for more information about J takes the 


user to the iE website, which identifies EML as a 


“marketing partner”. 
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34. 


35. 


36. 


37. 


38. 


The ICO’s Guidance on Consent under the GDPR makes clear that 
for consent to be “specific and informed”, it must specifically 
identify the controller collecting the data and name any third party 
controllers who will be relying upon the consent. Consent for 
purchased “consented” data is valid only if the purchaser is 
specifically identified at the time consent is given. That has not 


occurred here. 


EML is not identified as an organisation that may ultimately process 
an individual’s data at the point where consent is obtained. The 
identity of EML’s client would also not be clear to the data subject at 


the time consent is given. 


Accordingly, the Commissioner is of the view that any consent given 
at the point of collection was not sufficiently specific or informed to 
extend so far as consenting to disclosure to EML or one of EML’s 
customers. Any “consent” to processing could not extend to the 
obtaining of that data by EML, processing of that data by EML, or 


disclosure by EML to any of its clients. 


Further, irrespective of the Commissioner’s views about the 
lawfulness of processing by EML, the Commissioner is also of the 
view that the methods of collection identified above demonstrate 
that EML is not processing personal data in a transparent way. This 
is because (a) data subjects are unlikely to be aware that EML is 
processing their data at all; and (b) the identity of any EML client 
and how they would process the personal data is unlikely to be clear 


to the data subject at the time of collection. 


Accordingly, the Commissioner is of the opinion that EML has failed 
to comply with its obligation to process data fairly, lawfully and 
transparently under Article 5(1)(a) of the UK GDPR. 
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Damage/ distress 


39. 


40. 


The Commissioner has considered, as she is required to do under 
DPA 2018 s 149(2), whether the failure has caused, or is likely to 
cause, any person damage or distress. The sale of lists of personal 
data can cause substantial damage and distress. Such damage and 
distress can result in individuals being bombarded with unwanted 
direct marketing, or their data falling into the hands of 


unscrupulous individuals including scammers. 


Moreover, data subjects are, at the least, likely to be concerned 
about the processing of their personal data in circumstances where 
they are not aware of the identity of the controller and where the 
nature of, and purposes of, processing have not been clearly drawn 


to their attention. 


Requirements 


41. 


In view of the matters referred to above, the Commissioner is of the 
opinion that it is appropriate, in the exercise of her powers under 
DPA 2018 section 149, that she require EML, within three months, 


to: 


a. Notify all data subjects whose personal data are being 
processed by EML of the matters required by UK GDPR Art 14 
including, but not limited to, the purposes of the processing 
for which the personal data are intended as well as the legal 
basis for the processing, the categories of personal data 
concerned, and the recipients or categories of recipients of 


the personal data. 
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42. 


43. 


b. Cease processing the personal data of any data subject to 
whom an Article 14-compliant notice is not sent or cannot be 


sent because EML does not possess contact information. 


c. Cease processing personal data (as described in this 
Enforcement Notice) purportedly obtained and/or otherwise 


processed on the basis of consent. 


d. Ensure that appropriate records are kept as to what 
individuals have consented to; including the information they 
were provided with at the time of consent, when they 


consented, and how they provided that consent. 


The Commissioner considers that the above requirements are 


appropriate for the purpose of remedying the failure identified. 


In representations to the Commissioner, EML initially claimed to 
have already complied with the requirements above. No evidence 
was provided at that time to demonstrate compliance. In 
subsequent representations, EML claimed that “Any personal data 
being processed on the basis of consents that are insufficiently 
specific, informed and not freely given has been deleted from the 
company”. No explanation was given by EML as to how it formed 
the view about the sufficiency of the data subject’s consent, or how 
much data had in fact been deleted by it. Having regard to the 
additional evidence provided by EML, the Commissioner nonetheless 
considers that it is appropriate to impose the requirements set out 


above. 


Consequences of Failing to Comply with the Notice 


44, 


If a person fails to comply with an Enforcement Notice, the 


Commissioner may serve a penalty notice on that person under 
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section 155(1)(b) DPA, requiring payment of a penalty in an 
amount up to £17,500,000 or 4% of annual worldwide turnover, 


whichever is the higher. 


Right of Appeal 


45. 


By virtue of section 162(1)(c) DPA there is a right of appeal against 
this Notice to the First-tier Tribunal (Information Rights). If an 
appeal is brought against this Notice, it need not be complied with 
pending determination or withdrawal of that appeal. Information 


about the appeals process may be obtained from: 


First-tier Tribunal (Information Rights) 
GRC Tribunals 

PO Box 9300 

Leicester 

LE1 8DJ 

Tel: 0300 1234504 

Fax: 0870 7395836 

Email: GRC@hmcts.gsi.gov.uk 


Website: www.justice.gov.uk/tribunals/general-regulatory-chamber 


Any Notice of Appeal should be served on the Tribunal within 28 


calendar days of the date on which this Notice is sent. 


Dated the 22™ day of June 2021 


Stephen Eckersley 

Director of Investigations 
Information Commissioner's Office 
Wycliffe House 

Water Lane 
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Wilmslow 
Cheshire 
SK9 5AF 
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